Secure message delivery using a trust broker

ABSTRACT

An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender&#39;s email server with a secure token for encrypting the message to provide secure delivery over the unsecured network.

BACKGROUND

E-mail, short for electronic mail and often abbreviated to e-mail, email or simply mail, is a store-and-forward method of composing, sending, receiving, and storing messages over electronic communication systems. The term “e-mail” (as a noun or verb) applies to several different types of systems, including the Internet e-mail system based on the Simple Mail Transfer Protocol (SMTP), X.400 systems, and to intranet systems allowing users within an organization to e-mail each other. Intranets may use Internet protocols or X.400 protocols for internal e-mail service. Messages are exchanged between hosts using SMTP with software programs called mail transport agents (MTAs). Users can download their messages from servers with standard protocols such as the Post Office Protocol (POP) or Internet Message Access Protocol (IMAP), or, as is more likely in a large corporate environment, with a proprietary protocol specific to Lotus Notes or Microsoft Exchange Servers (e.g., Messaging Application Programming Interface (MAPI)/Remote Procedure Call (RPC)).

FIG. 1 is a block diagram that illustrates a typical sequence of events when a user sends an email message over the Internet. In block 110, a user Alice types in, or selects from an address book, the e-mail address of her recipient, types a message, and hits the “send” button using her mail user agent (MUA). Alice's MUA formats the message in Internet e-mail format and uses SMTP to send the message to the local MTA, in this case smtp.a.org, run by Alice's Internet Service Provider (ISP). The MTA reads the destination address provided by SMTP, in this case bob@b.org, and, in block 120, looks up the associated domain name in the Domain Name System (DNS) to find the mail exchange servers accepting messages for that domain. In block 130, the DNS server for the b.org domain, ns.b.org, responds with a mail exchange (MX) record listing the MX servers for that domain, in this case mx.b.org, a server run by the recipient's ISP. In block 140, Alice's MTA, smtp.a.org, sends the message to mx.b.org using SMTP, which delivers it to the mailbox of the user Bob. In block 150, Bob presses the “get mail” button in his MUA, which picks up the message using POP or another suitable protocol.

One problem with email is that it is not very secure. As illustrated by FIG. 1, SMTP is a text-based protocol and messages using SMTP traverse the Internet, going through any number of servers, routers, and domains. Along any of these routes, the message can be easily intercepted and modified. Even if the message is not modified, an undesirable person may be able to view the message's contents, making email unsuitable for confidential business or personal information. Another problem is that email can be easily spoofed, or made to appear to come from someone other than the real sender. Spammers often used the text-based nature of SMTP to fill in whatever sender information is most likely to cause an unsuspecting recipient to read the message.

Many government, corporate, and organizational environments that depend on secure email have elected to operate private email servers that do not transmit email addressed to recipients within the organization over the Internet. Instead, these email servers transmit email over a secure corporate network, using either a local area network (LAN) or a virtual private network (VPN) in combination with LANs to create a secure channel to connect remote offices of the same organization. However, this does not help when members of these organizations need to send email to a member of another organization (e.g., when a Microsoft employee sends email to an Intel employee).

Other solutions require an initial exchange of certificates or keys between users that is difficult between large organizations. For example, two users can securely send email to one another by exchanging keys and using S/MIME (Secure/Multipurpose Internet Mail Extensions) or Pretty Good Privacy (PGP). Large organizations can encrypt the delivery of messages between them by exchanging certificates and using the Secure Sockets Layer (SSL) or other secure protocol (e.g., IPSEC) to transmit the email back and forth. It is not feasible for each organization to securely convey (e.g., hand carry) a storage medium full of keys to every other organization with which its members may want to securely exchange email. This type of solution does not scale well as the number of organizations increases, and does not allow communication between parties that have not previously met.

SUMMARY

An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. Email servers within each organization also have access to the organization's identity information (e.g., a public key). The email security system receives a new email message from a sender's client computer at the organization's internal email server. The system identifies the domain of the message recipient and sends a request from the sender's email server to the federation server to request a token for securely communicating with the recipient's email server. The recipient's organization has typically previously provided identity information to the federation server. The federation server verifies the sending email server's identity and sends the requested token for securely sending email to the recipient's email server. The email security system encrypts the email message at the sending email server using the received token and sends the encrypted email message to the recipient's email server. The recipient's email server receives the email message, decrypts the message using the recipient organization's identity information (e.g., a private key), and delivers the email message to the recipient's inbox. Thus, the email security system allows users belonging to two different organizations to send email securely.

This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that illustrates a typical sequence of events when a user sends an email message over the Internet.

FIG. 2 is a block diagram that illustrates components and a typical operating environment of an email security system, in one embodiment.

FIG. 3 is a flow diagram that illustrates the processing of a sender's email server to send secure email using the email security system, in one embodiment.

FIG. 4 is a flow diagram that illustrates the processing of a federation server of the email security system, in one embodiment.

FIG. 5 is a flow diagram that illustrates the processing of a recipient's email server to receive secure email using the email security system, in one embodiment.

DETAILED DESCRIPTION

An email security system is described that allows users within organizations that belong to a federation to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. The federation server may be composed of many actual servers, some hosted on the Internet and others hosted on premises at the organization, and may also be operated by a third-party unrelated to the organization. Each organization provides identity information (e.g., a certificate, public keys, shared secrets, and so on) to the federation server. Email servers within each organization also have access to the organization's identity information (including private keys, which are typically only accessible by the organization's email servers). For example, an administrator may set up each of the email servers with the identity information and provide the information to the federation server by mail, in person, or by another secure method (e.g., programmatically using web services). The email security system receives a new email message from a sender's client computer at the organization's internal email server. For example, a user using an email client application, such as Microsoft Outlook, may compose and send a message. The email security system identifies the domain or host of the message recipient by inspecting the message header (e.g., using SMTP) or properties (e.g., using MAPI). The system sends a request from the sender's email server to the federation server that (1) identifies the sender's email server as a part of the organization using the organization's identity information and (2) requests a token for securely communicating with the recipient's email server.

The email security system, via the federation server, verifies the sender email server's identity by comparing the received identity information with the previously provided identity information. If the information matches and the recipient's server has federated, then the federation server sends the requested token for securely sending email to the recipient's email server. This token can typically only be opened by the recipient organization's email servers, which have the recipient organization's private key. Along with the token, the federation server may also provide a key with which the sending server can encrypt the message. This key is also present in the encrypted token meant for the receiving server, so that the receiving server can retrieve the key and decrypt the message. The email security system encrypts the email message at the sender's email server using information sent with the received token and sends the encrypted email message to the recipient's email server. The email security system receives the email message at the recipient's email server, decrypts the message using the recipient organization's identity information. If there are no problems decrypting the message (i.e., it was encrypted with the expected key in the token), then the email security system delivers the email message to the recipient's inbox for retrieval by the recipient. Thus, the email security system allows users belonging to two different organizations to send email securely.

In some embodiments, the recipient's email server also verifies the identity of the sender's email server. When the federation server provides the token, the token may include a verification of the sender's identity signed by the federation server, so that the recipient's email server can know that the federation server verified the identity of the sender's email server. When the recipient's email server receives the encrypted message and decrypts the message, the recipient's email server also receives the verification of the sender's identity. In this way, the recipient's email server knows that not only was the email not tampered with after if left the sender's email server, but also that the sender's email server was not malicious by claiming the message came from some other organization.

The email security system provides numerous advantages. Each organization only has to provide its security information (e.g., certificates, tokens, public keys) to a single federation server or organization (that acts as a trust broker between the organizations), and then can securely exchange email with any other organization that has also provided its security information to the federation server. Users do not have to be aware that anything different has taken place, they simply send and receive messages as they always have, and behind the scenes their organization's email server allows them to securely exchange email with recipients at other organizations. Unlike user-to-user encryption methods, the email message does not need to be encrypted using a different key for each recipient, but rather only a different key for each organization. Thus, for a message addressed to multiple recipients at the same organization, the email security system can encrypt and send the message one time to all of the recipients rather than once to each recipient. The encryption provided by the email security system is secure regardless of how many hops or routes the message takes between the sender's email server and the recipient's email server. These and other advantages are described in further detail herein.

FIG. 2 is a block diagram that illustrates the components and typical operating environment of the email security system, in one embodiment. A first organization 210 contains one or more email servers 215 and one or more client computers 220 and 225. The email server 215 receives email messages to send from users of client computers 220 and 225 and provides an inbox for each user to receive email. The email server 215 and client computers 220 and 225 are typically connected over a secure network, such as a LAN. A second organization 230 similar to the first organization 210 contains one or more email servers 240 and one or more client computers 250 that communicate over an internal network. The first organization 210 and second organization 230 are connected together through an unsecured network 295, such as the Internet. The unsecured network 295 is connected to many other organizations, computers, routers, and so forth. A web client 290 is shown through which users can remotely connect to an organization, such as the first organization 210 over the unsecured network 295. The web client 290 typically connects to an organization using a separate security device, such as a smart card or hardware token associated with the user.

A federation server 260 or trust broker is also shown that provides tokens for securing email in the manner described herein. The federation server 260 contains a token store 270 that stores information provided by each organization, such as public keys, certificates for verifying the identity of requests from the organization, and so on. The federation server 260 makes it possible for each organization to trust each other by each delegating trust to the trust broker. Although single servers are shown in FIG. 2, such as for the federation server 260 or email server 215, those of ordinary skill in the art will recognize that few services are provided by a single server, and are more often provided by a cluster of servers for failover, redundancy, and improved availability. Thus, although a single server is often described herein for ease of description, the server could represent a cluster of servers or other load balancing arrangement using well-known techniques in the art.

The computing devices on which the system is implemented may include a central processing unit, memory, input devices (e.g., keyboard and pointing devices), output devices (e.g., display devices), and storage devices (e.g., disk drives). The memory and storage devices are computer-readable media that may be encoded with computer-executable instructions that implement the system, which means a computer-readable medium that contains the instructions. In addition, the data structures and message structures may be stored or transmitted via a data transmission medium, such as a signal on a communication link. Various communication links may be used, such as the Internet, a local area network, a wide area network, a point-to-point dial-up connection, a cell phone network, and so on.

Embodiments of the system may be implemented in various operating environments that include personal computers, server computers, handheld or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics, digital cameras, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and so on. The computer systems may be cell phones, personal digital assistants, smart phones, personal computers, programmable consumer electronics, digital cameras, and so on.

The system may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, and so on that perform particular tasks or implement particular abstract data types. Typically, the functionality of the program modules may be combined or distributed as desired in various embodiments.

In some embodiments, the token provided to a sender's email server by the federation server is a Security Assertion Markup Language (SAML) token. SAML is an extensible Markup Language (XML) standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML assumes the principal (in this case each organization) has enrolled with at least one identity provider (the federation server). This identity provider is expected to provide local authentication services to the principal. However, SAML does not specify the implementation of these local services; indeed, SAML is not concerned with how local authentication services are implemented. Thus, a service provider relies on the identity provider to identify the principal. At the principal's request, the identity provider passes a SAML assertion to the service provider. Based on this assertion, the service provider makes an access control decision.

In some embodiments, the SAML assertions provided by the email security system contain a proof of possession key. The proof of possession key is a symmetric cryptographic key (e.g., a 128-bit symmetric key) that the sender's email server uses to encrypt the message. The proof of possession key is typically a symmetric key (e.g., 128 or 192 bytes in length or more). The proof of possession key is used to encrypt the message and is also present in the token that is encrypted with the recipient's organization public key, which means that the token can only be opened by the recipient organization (which holds the private key). Once the recipient organization opens the token, it extracts this key and decrypts the message. The recipient organization may also verify a signature of the sender of the message. If the message can be decrypted successfully and the signature of the sender can be verified, then the recipient organization knows that the message was not tampered with en route.

In some embodiments, the token provides a claim of the purpose of the token. For example, the token may indicate that a federation server provided it for the purpose of secure email. This can be useful for federation servers that distribute tokens for many different purposes, such as Microsoft's Live ID (formerly Passport). If an organization uses the same key for access to multiple services, it is helpful to know that an organization did not obtain a token for one purpose and use it for another. It is possible that the sending organization is granted access to use secure email, but not other services provided by the recipient organization. Thus, verifying the purpose claim allows the recipient organization to know that the token is being used only for its intended purpose.

In some embodiments, the security information that the email security system adds to a message is sent with the message as a Multipurpose Internet Mail Extensions (MIME) part. MIME allows messages sent using SMTP or other protocols to contain multiple parts for different purposes. For example, a message can be sent in both text and HyperText Markup Language (HTML) format, or can contain extra security data. Email clients can remove parts that they do not understand and provide the recipient with the parts that the email client does understand. Alternatively, the email security system may provide the security information using the Cryptographic Message Syntax (CMS), a standard for cryptographic protected messages that can be used to digitally sign, digest, authenticate, or encrypt any form of digital data.

In some embodiments, the email security system is used to exchange email messages between servers in the same organization. As discussed in the background, it is common to use a VPN to connect email servers of an organization at different sites. Using the email security system described herein, organizations can provide secure email delivery between remote sites of the same organization over the Internet without having to create a secure channel between each site. Although many organizations have offices at different sites, another usage of this scenario is for testing of new versions of an email server. For example, Microsoft can provide a testing lab for organizations to move a sampling of users (e.g., 500) over to a new version of Microsoft Exchange that is hosted at the testing lab. The organization would likely want to know that email exchanged between the organization's servers and Microsoft's test servers is secure. Thus, the email security system enables these and other useful scenarios.

In some embodiments, the sending email server adds control information to the email message before sending it to the recipient email server. For example, the sending email server may add control information that indicates that the email message has been virus scanned, run through a SPAM filter, and so on. Depending on the level of trust between the two organizations, the recipient organization may rely on the sending organization for performing any actions that the control information indicates, and not repeat those actions at the recipient server. For example, the recipient server may decide not to virus scan messages that a sending server indicates has already been virus scanned, much as if the two servers were part of the same organization.

FIGS. 3-5 are flow diagrams that illustrate the processes described herein from the perspective of the sender's email server, federation server, and recipient's email server respectively. These flow diagrams do not show all functions or exchanges of data, but instead they provide an understanding of commands and data exchanged under the system. Those skilled in the relevant art will recognize that some functions or exchange of commands and data may be repeated, varied, omitted, or supplemented, and other (less important) aspects not shown may be readily implemented.

FIG. 3 is a flow diagram that illustrates the processing of the sender's email server to send secure email using the email security system, in one embodiment. In block 310, the server receives a message from an email client within the organization. For example, a user of a client computer may send a message using Microsoft Outlook or another email client application. In block 320, the server identifies the domain of the recipient. For example, if the message uses SMTP, then the server receives one or more RCPT TO commands from the client that identify the message recipient. As another example, if the message uses MAPI, then the server accesses the message property containing the list of recipients. If the message has recipients at multiple domains, then the server repeats the following steps for each of the domains. In block 330, the sender's email server sends a request to the federation server to get a token for securely sending email to the recipient's email server. The request includes identity information for verifying the identity of the sender's email server to the federation server, and optionally a purpose for which the token is requested (e.g., secure email).

In block 340, the sender's email server receives the requested token and associated information. For example, the token may contain claims related to the security request, the proof of possession key, the sender's identity, and so forth encrypted using the public key of the recipient's organization. The proof of possession key is also sent in the unencrypted part of the token, so that the sending organization can use it to encrypt the message. In block 350, the sender's email server adds security information to the message and encrypts the message. For example, the security information may be added as extra MIME parts to the message and may include information such as control flags related to processing performed on the message. In some embodiments, the sender's email server creates a separate content encryption key and uses that key to encrypt the message. Then, the sender's email server encrypts the content encryption key with the proof of possession key and includes the encrypted content encryption key with the message. The receiver is able to get the proof of possession key from the token using the receiving organization's private key, and can decrypt the content encryption key using the proof of possession key. The email security system may encrypt and decrypt messages using any suitable cryptographic encryption algorithm, many of which are well known in the art. In block 360, the sender's email server sends the encrypted message to the recipient's domain, typically over an unsecure network. After block 360, these steps conclude.

FIG. 4 is a flow diagram that illustrates the processing of the federation server of the email security system, in one embodiment. In block 410, the server receives organization identity information for one or more organizations that want to use the services of the federation server as a trust broker with other organizations. In block 420, the federation server stores the identity information for later use. For example, the federation server may use a database to store information about each organization. Block 430 begins the main loop in which the federation server typically operates. In decision block 430, if the federation server has not received a token request, then the server loops to block 430, else the server continues at block 440. In block 440, having received a request the federation server verifies the request sender based on the organization that the request sender claims to be from, identity information provided in the request, and the previously stored identity information received from the organization. For example, the request may provide information signed with the private key of the organization that the federation server verifies using the public key of the organization stored in the identity information.

In decision block 450, if the sender is invalid, then the server continues at block 460, else the server continues at block 470. For example, the request may have been an attempt to appear as another sender (e.g., spoofing) to send SPAM to an organization. In block 460, the server denies the request and loops to block 430 to wait for the next request. The server may send a denial message or may simply discard the request and not respond at all. Prior to block 470, the server may optionally determine whether the recipient organization is participating in federation. If not, then the server may send a response to the sender's request indicating that a token for the recipient organization is not available. In block 470, the server retrieves the domain with which the request sender wants to communicate from the request and provides an appropriate token to the validated sender. The token may include the purpose of the token, the domain for which the token can be used, one or more keys, additional claims about the requestor or domain, and so forth. Using the token the sender can securely send email to the desired organization.

FIG. 5 is a flow diagram that illustrates the processing of the recipient's email server to receive secure email using the email security system, in one embodiment. In block 510, the recipient server receives an encrypted email message. For example, the recipient server may listen for messages through a connection to the Internet. In block 520, the recipient server attempts to decrypt the email message using a private key of the organization. As noted above in reference to FIG. 3, the message may be encrypted using a content encryption key that is itself encrypted and sent along with the message. The recipient's email server can use its private key to decrypt the proof of possession key in the token, and the proof of possession key to decrypt the content encryption key which is then used to decrypt the message. In decision block 530, if the decryption indicates that the email has been tampered with, then the server continues at block 540, else the server continues at block 550. In block 540, the server discards the email message. The server may send a rejection message to the email sender to help with diagnosing potential problems or may not to prevent denial of service attacks. The server also extracts additional information from the decrypted message that may have been added by the sending email server. For example, the message may contain a signature that authenticates the sending email server, one or more control flags, and other information. In block 550, the server verifies the message sender using information in the decrypted message. For example, if the message contains a sending server signature or proof of the sender's identity signed by the federation server, then the recipient server determines whether the signature is valid using the appropriate public key. In decision block 560, if the sender is invalid, then the server continues at block 540, else the server continues at block 570. In block 570, the server delivers the decrypted email message to the recipient's inbox. The recipient will later connect to the server with an email client and retrieve the message. The server may also process any control options sent with the message to determine whether the server should, for example, scan the message for viruses, check the message against a SPAM filter, and so forth.

In some embodiments, the email security system allows organizations to federate with particular other organizations. For example, an administrator may provide a list of organizations with which federated message delivery is desirable. When a sender sends a message to a recipient at an organization configured for federated delivery by the administrator, the email server sends the message using the process described herein. For other organizations, the email server may use traditional delivery methods.

From the foregoing, it will be appreciated that specific embodiments of the email security system have been described herein for purposes of illustration, but that various modifications may be made without deviating from the spirit and scope of the invention. For example, although the system is described primarily in the context of email, similar techniques could be applied to extend security to other forms of data exchange, such as instant messaging, application sharing, and so forth. As another example, although corporate email servers are used as examples, the system can also be used for general Internet email. ISPs (e.g., Comcast, EarthLink), Internet email providers (e.g., Microsoft Live Mail, Google Gmail), and any other types of email servers can use the techniques described herein to provide secure email exchange with other providers and organizations. Accordingly, the invention is not limited except as by the appended claims. 

1. A computer-implemented method for securely exchanging email between two email systems connected by an insecure network using a trust broker, the method comprising: receiving a message from an email client connected to a first email system; identifying a domain of a recipient of the message based on information associated with the message; sending a request to the trust broker requesting a token for securely sending email to a second email system associated with the recipient, wherein the trust broker manages security information for multiple email systems and provides tokens that assure an email system receiving a message that the received message is secure; receiving a response to the request that contains the requested token; encrypting the message using the received token; and sending the encrypted message to the second email system over an unsecure network.
 2. The method of claim 1 wherein the first email system is associated with a first organization and the second email system is associated with a second organization.
 3. The method of claim 1 wherein the first and second email systems are associated with the same organization but are connected via an insecure network.
 4. The method of claim 1 wherein identifying the domain of the recipient comprises reading the SMPT RCPT TO protocol information.
 5. The method of claim 1 wherein identifying the domain of the recipient comprises accessing a MAPI property containing message recipients.
 6. The method of claim 1 further comprising, if the message has recipients at multiple domains, repeating the steps of sending a request to the trust broker, receiving a response to the request, encrypting the message, and sending the encrypted message for each of the domains.
 7. The method of claim 1 wherein the request to the trust broker includes identity information for verifying the identity of the first email system email server to the federation server
 8. The method of claim 1 wherein the request to the trust broker identifies the purpose of the token as secure messaging.
 9. The method of claim 1 wherein the token includes information encrypted using a public key associated with the recipient's domain.
 10. The method of claim 1 wherein the token includes a proof of possession key.
 11. The method of claim 1 wherein encrypting the message comprises adding security information using S/MIME to the message.
 12. The method of claim 1 wherein encrypting the message comprises adding control flags to the message that specify processing that the first email system performed on the message.
 13. A computer system for delivering secure email between domains, the system comprising: a federation server component configured to collect organization identifying information, verify the identity of requesters, and distribute tokens for securely communication with organizations; a first email server component configured to send email communicate with the federation server to obtain tokens for securely communicating with domains associated with email recipients, and encrypt email messages using the obtained tokens; a second email server component configured to receive encrypted email, verify signature information of the first email server, decrypt email, and deliver email securely to recipients; and an unsecure network communicatively connected to the federation server component, first email server component, and second email server component.
 14. The system of claim 13 wherein the first email server sends email on behalf of a first domain, and the second email server receives email on behalf of a second domain.
 15. A computer-readable medium containing instructions for controlling a computer system to provide tokens for sending and receiving secure messages, by a method comprising: receiving a request for a token that verifies the identity of a request sender and contains a shared secret provided by a destination of a message, wherein the request contains an indication of an organization with which the request sender is associated; verifying the identity of the request sender based on the indication of the organization associated with the request sender and identity information accessible by the computer system about the organization. retrieving a domain with which the request sender wants to communicate from the request; providing the requested token to the sender with which the sender can send a secure message to the domain.
 16. The computer-readable medium of claim 15 further comprising, before receiving a request receiving organization identity information for one or more organizations that want to use the services of the federation server as a trust broker with other organizations and storing the identity information.
 17. The computer-readable medium of claim 15 wherein verifying the identity of the request sender comprises reading a signature from the request and using a public key of the organization to determine that the signature was signed with a private key of the organization.
 18. The computer-readable medium of claim 15 wherein verifying the identity of the request sender comprises determining whether the request sender is invalid, and when the request sender is invalid, denying the request.
 19. The computer-readable medium of claim 15 wherein the token includes a specified purpose of the token.
 20. The computer-readable medium of claim 15 wherein the token includes the domain for which the token can be used for secure communication. 